866 matches found
Missing Origin Validation in WebSockets
Overview @theia/terminal is a Theia - Terminal Extension Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints when origin validation is bypassed due to missing or manipulated headers. An attacker c...
Missing Origin Validation in WebSockets
Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints whe...
Malicious code in @dervix/ws (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69 Package @dervix/ws impersonates the popular ws WebSocket library — package.json copies the legitimate ws project's homepage...
Astra Linux – Vulnerability in Chromium
Insufficient validation of untrusted inputs in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass the same-origin policy through a crafted HTML page. Chromium security severity: Low...
Deno: WebSocket API sandbox bypass via missing post-DNS check
Summary When a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a...
CVE-2026-53522
Summary: Nezha Monitoring (versions 1.0.0–before 2.2.0) exposes two endpoints that create long-lived WebSocket streams, allowing resource exhaustion due to unbounded per-stream tracking. The endpoints are POST /api/v1/terminal (terminal.go) and POST /api/v1/file (fm.go), which call CreateStream t...
SUSE CVE-2026-11068
Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
Chromium: CVE-2026-11068 Use after free in WebSockets
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
[SECURITY] Fedora 44 Update: libre-4.8.1-1.fc44
Libre is a generic library for real-time communications with async I/O support. Features are a SIP stack RFC 3261, SDP, RTP and RTCP, SRTP and SRTCP Secure RTP, DNS client, STUN/TURN/ICE stack, BFCP, HTTP stack with client/server, Websockets, Jitter buffer, async I/O poll, epoll, select, kqueue,...
DEBIAN-CVE-2026-11068
Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-11068
Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-11068
Summary: CVE-2026-11068 is a use-after-free in Chrome’s WebSockets implementation that could allow remote code execution inside a sandbox. The issue affects Google Chrome builds prior to version 149.0.7827.53. The vulnerability description across multiple sources aligns on the same root cause and...
CVE-2026-11068
Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...
PYSEC-2026-213
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
PT-2026-46596
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description A use after free issue exists in WebSockets, which allows a remote attacker to execute arbitrary code within a sandbox by utilizing a crafted HTML page. Use after free is a memory...
Missing Origin Validation in WebSockets
Overview kanban is an A kanban foundation for coding agents Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets due to the lack of enforcement of origin and host policy. An attacker can gain unauthorized access to sensitive data and perform actions on behal...
CVE-2026-48779
creationtimestamp| type| source ---|---|--- 2026-05-22 18:05:36+00:00| published-proof-of-concept| https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p 2026-06-17 00:09:20+00:00| seen| https://gist.github.com/djlan/becffd7152d874641e42038b1b748f54 2026-06-17 00:55:40+00:00|...
Astra Linux – Vulnerability in Chromium
Before version 88.0.4324.182, using use after free in Web Sockets with Google Chrome on Linux allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...
CVE-2025-27853
The locally served web site on the Garmin WDU v1 1.4.6 and v2 5.0 allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An...
PT-2026-39754
Name of the Vulnerable Software and Affected Versions Next.js versions 15.2.0 through 15.5.17 Next.js versions 16.0.0 through 16.2.5 Description A flaw exists where a previous security fix was not correctly applied to middleware.ts when used in conjunction with Turbopack, a high-performance...